[Snort-sigs] filter http traffic

Joel Esler jesler at ...435...
Sun May 20 11:32:11 EDT 2012

Yes, it is possible. I suggest capturing a packet flow of you doing the search, then you should be able to see the structure of the query much better. 

Joel Esler

On May 19, 2012, at 9:26 AM, Sdflkaj Jksdfj <kenterer1 at ...3680...> wrote:

> Hey there,
> i want to filter search requests to e.g. google which have certain keywords.
> my suggestion is the following:
>  alert tcp any any -> any any (pcre: "/(keyword1|keyword2)*/"; msg: "someone searches for rootkit or malware in google bing or yahooo"; sid: 1000004;rev:1;) 
>  Since i want to be able to use regular expressions i use PCRE. However this line only gives alarm if i use the "url bar" of the browser to search for   keywords. if i visit google.com and type the keywords in the input box, there is no alarm  going of . : / 
> i would appreciate any inspiration.
> cheers
> kenterer
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120520/9880d27a/attachment.html>

More information about the Snort-sigs mailing list